Release notes 2.3.3

Product

EclecticIQ Platform

Release version

2.3.3

Release date

2019-02-12

Summary

Maintenance release containing bug fixes

Upgrade impact

Low

Time to upgrade

~30 minutes to upgrade

  • From the previous release

  • Using the installation script

  • For an instance running on one machine

Time to migrate

n/a

EclecticIQ Platform 2.3.3 is a maintenance release. It contains a mix of fixes for bugs and security issues.

Upgrade

Upgrade path from release 2.0.x(.x) to 2.3.3:

[Figure: eiq-tip-upgrade-paths.png, the supported upgrade paths diagram]

Important bug fixes

This section is not an exhaustive list of all the important bug fixes we shipped with this release.

  • Updating a course of action entity in the platform would result in an Elasticsearch indexing error related to the updated entity.
    The problem was due to mapping conflicts between different indices, and has now been fixed.

  • Opening the detail pane for a report with a very large text file as content would cause the web browser to hang or freeze.
    This occurred because the processing took too long and has now been fixed.

  • Opening the JSON tab on the detail pane for a report with a very large text file as content would cause the web browser to hang or freeze.
    This occurred because the processing took too long and has now been fixed.

  • Reports containing attachments of exploit target entities ingested through the CVE Search API incoming feed would also include unrelated MD5 observables ingested through the CVE Search API enrichment process.
    This has now been fixed.

  • On the Create threat actor form, the Types drop-down menu contained a typo: Cyber Espionage Operation's, instead of Cyber Espionage Operations.
    This spelling mistake has been fixed.

  • Opening the incoming feed list of a platform instance with more than 50 incoming feeds and millions of entities could take more than 1 minute.
    Loading time has now improved.

  • While attempting to manually upload an EIQ-JSON file from a 2.1.2 platform instance to a 2.3.x instance, the status of the uploaded file would display an error message: Multiple rows were found for one().
    The file upload status on the Overview tab would show Error, even though the manual upload operation ingested the entities.
    This has now been fixed.

  • Entity relationships would not merge correctly during an entity merge operation. This would result in duplicate relationships.
    This has now been fixed.

  • Clicking a PDF file name on an entity detail pane would not trigger a PDF file download.
    Now when users click a PDF file name on an entity detail pane, they are prompted to download it and save it locally.

  • Users clicking the link to a discovery rule on the Updates tab of the Notifications pop-up pane would be directed to a fully populated and unfiltered Discovery view, instead of a list containing only the items matching the selected rule criteria.
    This has now been fixed.

  • After loading objects on the graph, the graph labels of manually populated objects would change to: unnamed undefined.
    This has now been fixed.

  • The installation documentation erroneously referred to the NEO4J_PASSWORD environment variable as NEO4J_PASS.
    This has now been fixed.

Security issues and mitigation actions

The following table lists known security issues, their severity, and the corresponding mitigation actions.
The state of an issue indicates whether a bug is still open, or if it was fixed in this release.

For more information, see All security issues and mitigation actions for a complete and up-to-date overview of open and fixed security issues.

Known issues

  • Users who can access entity content but do not have the access level required to view feeds can open the detail pane of an entity included in one or more outgoing feeds, and they can see the relevant outgoing feeds under Destinations.

  • Users can access resources belonging to a group, even if they are not members of that group. To do so, they can define rules where the group is set as a source. While they cannot see the group they are not a member of, they can access group resources such as datasets and entities, and they can perform actions such as merging, enriching, tagging, and so on.

  • While working on a report, analysts may want to save it, then go back to it for further editing, and then save it again, until the report is ready, and they can publish it.
    Occasionally, upon opening a saved report to edit it, some or all the content in the Analysis section of the report is missing. The other sections in the report retain their content, as expected.
    This behavior is infrequent and unpredictable.

  • Sometimes it is not possible to successfully delete or purge the content of a large incoming feed (> 1 million entities with correlations). The platform GUI grays out the feed. As a consequence, it is not possible to attempt deleting or purging it again from the GUI.
    Workaround:

    • Open a terminal session, and sign in to the platform.

    • Log in as the eclecticiq user with a login shell:

      sudo -u eclecticiq -i


      The login shell for this user also activates the Python virtual environment for the platform.

    • Run the following command(s) to manually purge an incoming feed:

      eiq-platform purge-incoming-feed --incoming-feed-id=${incoming_feed_id}


      --incoming-feed-id is a mandatory argument.
      Its value is an integer corresponding to the ID of the incoming feed you want to purge.

  • Loading more than 100 objects – entities, observables, and relationships – on the graph may negatively impact GUI performance because the loaded data is heavy on memory resources.

  • Enriching entities with the Fox-IT InTELL Portal enricher returns a successful notification on the GUI, but it records an error in the /var/log/eclecticiq/task-worker-enrichers-priority.log file.
    The enrichment operation fails.

  • When exchanging data between two platform instances with STIX as the content type for the source data on the publishing instance, ingestion into the recipient instance produces a new entity for each version of an ingested entity. The expected result is a single entity on the recipient instance that is updated with as many versions as the corresponding source entity on the publishing instance.
    This occurs especially when STIX entities ingested in the recipient platform instance lack a STIX ID in the publishing platform instance.

  • If ingestion of a package fails, even after the platform automatically retries it, the GUI may still display a successful ingestion status for that package, although no entities were ingested.
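The manual purge workaround above passes a feed ID straight to eiq-platform. The following POSIX shell wrapper is an added example, not part of the EclecticIQ product or its documentation: it refuses anything that is not a positive integer, checks that it is running as the eclecticiq user before invoking the command, and exposes the exact command line it would run so an operator can review it first. The function names (is_feed_id, purge_cmd, purge_incoming_feed) are the example's own; the eiq-platform invocation is the one given in the workaround.

```shell
#!/bin/sh
# Added example wrapper around the manual purge workaround (not EclecticIQ code).
# eiq-platform is only invoked after the argument and the current user are checked.

# Return 0 when $1 is a non-empty string of decimal digits, 1 otherwise.
# --incoming-feed-id is mandatory and must be an integer feed ID.
is_feed_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the command line that would be executed for the given feed ID,
# so it can be reviewed (dry run) before anything is purged.
purge_cmd() {
  printf 'eiq-platform purge-incoming-feed --incoming-feed-id=%s\n' "$1"
}

# Validate the ID and the invoking user, then run the purge.
# Exit codes: 2 = bad feed ID, 3 = not running as eclecticiq.
purge_incoming_feed() {
  feed_id="$1"
  if ! is_feed_id "$feed_id"; then
    echo "usage: purge_incoming_feed <integer feed id>" >&2
    return 2
  fi
  if [ "$(id -un)" != "eclecticiq" ]; then
    echo "run this as the eclecticiq user (sudo -u eclecticiq -i)" >&2
    return 3
  fi
  echo "running: $(purge_cmd "$feed_id")" >&2
  eiq-platform purge-incoming-feed --incoming-feed-id="$feed_id"
}

# Usage (after switching to the eclecticiq user):
#   purge_incoming_feed 42
```

Because the wrapper checks the user itself, running it from an ordinary shell fails closed with a hint rather than producing an eiq-platform error from an account that lacks the virtual environment.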

Contact

For any questions, and to share your feedback about the documentation, contact us at [email protected].